The Launch of The Academy Website

The Academy (http://www.theacademy.ca) officially launches its web site today, providing instructional videos for the information security community. For the first time ever, everyone from the average user to the most seasoned industry expert will be able to watch instructional videos on how to install popular products, address common configuration issues, and troubleshoot difficult problems. The Academy is a user-driven community, and videos are created at the request of its members. Vendors can also leverage the site to showcase the features and capabilities of their products. The Academy is an ideal place to find and share knowledge with others practicing or interested in the information security field.

Yours truly will be contributing as many log related videos as possible so that people understand how to properly make those crazy blinking boxes they have in their racks send logs.

Suggested Blog Reading – Monday February 18th, 2008

Ugh….I haven’t had a case of the flu like this for years. I’m finally over it (I think) and hopefully things will be getting back to normal soon.

Here is the list:

PHPIDS – Security Layer & Intrusion Detection for PHP Based Web Applications – This is an interesting tool that I hadn’t heard about until today.

PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input; it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules, any attack is given a numerical impact rating, which makes it easy to decide what kind of action should follow the hacking attempt.

From the SANS Information Security Reading Room:

Enterprise Security 2008 Learning Guide – Good collection of articles to check out.

2008 won’t just be a year of the same old network, application and compliance issues. New malware has hit the scene, cyberterrorist attacks have become more common, and virtualization technology has presented different enterprise network security challenges. Mike Chapple, Michael Cobb, Joel Dubin, Mike Rothman and Ed Skoudis explore various information security areas and point out the new threats that every organization needs to be ready for.

More on Hating Agents – Everyone hates them but they are required – no, not lawyers….I’m talking about log agents. Anton lists some good pros and cons for leveraging an agent to get you your logs.

I responded to a question about using agents for log collection on a mailing list (semi-public); I think this content also begs to be blogged.

Password Cracking Wordlists and Tools for Brute Forcing – Ever want to find a good word list for your audits?

I quite often get people asking me where to get Wordlists, after all brute forcing and password cracking often relies on the quality of your word list.

Do note there are also various tools to generate wordlists for brute forcing based on information gathered such as documents and web pages (such as Wyd – password profiling tool). These are useful resources that can add unique words that you might not have in your generic lists.

Also add all the company related words you can and if possible use industry specific word lists (chemical names for a lab, medical terms for a hospital etc).

Is the mobile malware threat overblown? – Overblown…maybe. Under-exploited…possibly. Not receiving the amount of attention it deserves…definitely!

The trouble for some IT pros is that security experts have been warning of growing mobile phone attacks for more than three years and the big event has yet to materialize.

Does this mean the mobile phone threat has been overblown all this time, over-hyped by security vendors generating FUD to sell new products? Not exactly.

True, enterprises continue to experience little by way of mobile phone attacks. But that’s only because companies are still limiting the functionality of such devices among employees. Just about everyone uses cell phones with Internet capabilities these days. But in the working world, use of the devices is still limited to making phone calls and checking email.

New Docs at SWGDE – Some new docs on forensics. Thanks Harlan.

The Scientific Working Group on Digital Evidence (SWGDE) has released some new documents, the most notable of which are the Vista Technical Notes, and the document on “Live Capture”.

Could computer forensics help your organisation? – Umm…ya?

Forensics is not yet a mainstream field and descriptions and definitions vary. Yet how do organisations integrate incident response, breach handling and forensic examination into a security strategy? That security strategy should be defined by policies and procedures to minimise security risk at the lowest cost and least disruption. It is a major challenge facing many CIOs…

Scary concept: Friendly worms – If this ever became a reality, which I doubt it will, how long would you expect it would take before someone exploited the updating and transport mechanism to “do evil”?

This isn’t a new idea: the concept of creating worms that patch your computer when you catch them. There is even some malware out there now that patches vulnerabilities on systems to make sure other worms can’t exploit the same vulnerabilities. But the problem is, if both beneficial and malign software show the same basic behavior patterns, how do you differentiate between the two? And what’s to stop the worm from being mutated once it’s started, since bad guys will be able to capture the worms and possibly subvert their programs?

SQL Injection Tutorial Now Available! – Very cool. Good for Oracle in taking a step to help people secure their product and applications.

By taking this self-study tutorial, you can arm yourself with techniques and tools to strengthen your code and applications against these attacks. This tutorial employs text and diagrams to present concepts, design issues, coding standards, processes, and tools. Flash-based demos and simulations allow you to visualize what you have learned, and assessment quizzes help you gauge your learning progress.

Segregating Your Logging for Availability

Although not a new concept, I thought I’d remind people of the benefits of sending your security, system, and application logs across a segregated network to maintain availability. Consider the following scenario:

Your network is experiencing a horrible worm outbreak that is eating up critical bandwidth as it attempts to spread from host to host. All of this malicious traffic is causing your firewalls, intrusion systems, routers, switches, and servers to feverishly log every worm related event they possibly can. The corporate security policy dictates that all event logs are to be sent to a log management server so that no logs are lost.

This remote logging, although small when you consider the size of an individual log (a UDP syslog packet cannot exceed 1024 bytes), does impact available network bandwidth. This is especially true if thousands of logs per second are being transported to a log management or log storage solution through the same path as your regular traffic (1000 logs per second × 1024 bytes = 1,024,000 additional bytes per second — worst case of course, and that is before counting the Ethernet, IP and UDP headers carried with each packet). Similarly, a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack could also adversely impact the rate at which regular data, and the associated logged events, flows through your network infrastructure.

You could investigate implementing QoS rules for your logs on your existing network, but all this does is dedicate already scarce network resources to your logging traffic. This is a good solution if your main concern is the availability of your logs, but it does nothing to help reserve bandwidth for your regular network traffic during the outbreak.

If you designate a separate and distinct network segment for the transmission of your logs, you can keep your critical network bandwidth available for regular operation while you mitigate the outbreak. This can be as simple as configuring an additional interface on your device for logging or as complex as creating distinct VLANs for the logging traffic (which, in all honesty, isn’t all that complex a task). Although this is a great solution for maintaining the availability of both your network traffic and your logging traffic, there is an associated infrastructure cost (switches, network interfaces, rack space, power, administration overhead, etc.). Hopefully you can see how this short-term investment will pay off in the long term.
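To put numbers on the shared-link versus dedicated-segment argument above, here is an added example (not code from the original post) that estimates the on-wire bandwidth of a UDP syslog stream, headers included, and checks whether it still fits next to production traffic on one link or should ride its own segment. The event rates, link speeds and production load it uses are constructed scenario values, not measurements.

```python
# Added example: estimate syslog bandwidth during an outbreak and decide
# whether the log stream belongs on the shared link or a dedicated segment.
# All scenario values (event rates, link speeds, production load) are
# constructed for illustration, not measured on any real network.

ETH_OVERHEAD = 18        # 14-byte Ethernet header + 4-byte FCS per frame
IPV4_HEADER = 20         # IPv4 header without options
UDP_HEADER = 8
SYSLOG_UDP_MAX = 1024    # RFC 3164 payload limit referred to in the post


def wire_bytes_per_event(payload_bytes: int) -> int:
    """Bytes one UDP syslog event occupies on an Ethernet link, headers included.

    Payloads longer than 1024 bytes are truncated by the UDP syslog limit,
    so the worst case per event is capped rather than growing without bound.
    """
    payload = min(payload_bytes, SYSLOG_UDP_MAX)
    return payload + UDP_HEADER + IPV4_HEADER + ETH_OVERHEAD


def payload_bytes_per_second(events_per_second: int,
                             payload_bytes: int = SYSLOG_UDP_MAX) -> int:
    """The post's own figure: message bytes per second, no header overhead."""
    return events_per_second * min(payload_bytes, SYSLOG_UDP_MAX)


def logging_bits_per_second(events_per_second: int,
                            payload_bytes: int = SYSLOG_UDP_MAX) -> int:
    """On-wire bit rate of the log stream at the given event rate."""
    return events_per_second * wire_bytes_per_event(payload_bytes) * 8


def plan_logging_path(events_per_second: int, payload_bytes: int,
                      link_mbps: float, production_mbps: float) -> dict:
    """Compare carrying logs on the shared link against a dedicated segment.

    production_mbps is the regular traffic (plus worm noise) already on the
    shared link; link_mbps is the capacity of both the shared link and the
    candidate dedicated logging segment.
    """
    log_mbps = logging_bits_per_second(events_per_second, payload_bytes) / 1e6
    shared_total = production_mbps + log_mbps
    return {
        "log_mbps": round(log_mbps, 2),
        "share_of_link_pct": round(100 * log_mbps / link_mbps, 1),
        "shared_link_overloaded": shared_total > link_mbps,
        "shared_headroom_mbps": round(link_mbps - shared_total, 2),
        "dedicated_segment_fits": log_mbps <= link_mbps,
    }
```

Running `plan_logging_path(1000, 1024, 100, 95)` reproduces the post's worst case: roughly 8.6 Mbit/s of log traffic that pushes a busy 100 Mbit/s link over capacity, yet fits easily on a dedicated 100 Mbit/s logging segment.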

I haven’t discussed the business case for segregating your logging for security reasons but I will in a future article. Segregating your logging for availability, however, is definitely something to think about when you’re planning your logging infrastructure 🙂
